SRX


Route all VLAN traffic to specific public IP

  • 1.  Route all VLAN traffic to specific public IP

    Posted 01-26-2021 14:04
    I have a public static /29 available to untrust on ge-0/0/0 on an SRX-240. Currently, all outbound traffic is seen to be coming from 1.2.3.2/29. I have an internal VLAN on ge-0/0/14.81 where I want to route all inbound/outbound traffic through public static IP 1.2.3.3/29. So far I have:

    set interfaces ge-0/0/14 vlan-tagging
    set interfaces ge-0/0/14 unit 81 description vlan81
    set interfaces ge-0/0/14 unit 81 vlan-id 81
    set interfaces ge-0/0/14 unit 81 family inet address 100.64.81.1/24
    set vlans vlan81 vlan-id 81
    set security zones security-zone vlan81 interfaces ge-0/0/14.81 host-inbound-traffic system-services ping
    set security nat source rule-set vlan81 from zone vlan81
    set security nat source rule-set vlan81 to zone Internet
    set security nat source rule-set vlan81 rule vlan81 match source-address 0.0.0.0/0
    set security nat source rule-set vlan81 rule vlan81 match destination-address 0.0.0.0/0
    set security nat source rule-set vlan81 rule vlan81 then source-nat interface
    set security policies from-zone vlan81 to-zone Internet policy vlan81 match source-address any
    set security policies from-zone vlan81 to-zone Internet policy vlan81 match destination-address any
    set security policies from-zone vlan81 to-zone Internet policy vlan81 match application any
    set security policies from-zone vlan81 to-zone Internet policy vlan81 then permit


     I believe I need to alter my NAT rules and maybe add a default route for all things coming from vlan81?

    Edit: I added this static route, it didn't work, so I must be missing something still:

    set routing-options static route 100.64.81.0/24 next-hop 1.2.3.3


  • 2.  RE: Route all VLAN traffic to specific public IP

     
    Posted 01-26-2021 17:42
    The NAT interface option puts your traffic on the interface IP address. To have the traffic NAT to 1.2.3.3 you need to create a pool and use that, and add proxy ARP for the address to your public interface.

    set security nat source rule-set vlan81 rule vlan81 then source-nat pool VLAN81
    set security nat source pool VLAN81 address 1.2.3.3/32
    
    set security nat proxy-arp interface ge-0/0/0.0 address 1.2.3.3/32

    You should also restrict the source match condition to just the addresses that will come from VLAN 81. This is how you make sure only those devices use the particular address.

    Here is the general example document for all the nat scenarios.
    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Route all VLAN traffic to specific public IP

    Posted 01-26-2021 18:05
    I added these lines:

    set security nat proxy-arp interface ge-0/0/0.0 address 1.2.3.3/32
    set security nat source pool vlan81 address 1.2.3.3/32
    set security nat source rule-set vlan81 rule vlan81 then source-nat pool vlan81


    Now it doesn't seem to pass traffic. I had it working before where it just used the 1.2.3.2 public static IP configured on ge-0/0/0.0, but that didn't route me to 1.2.3.3.




  • 4.  RE: Route all VLAN traffic to specific public IP

     
    Posted 01-27-2021 05:45
    Can you pull the session information with both rules so we can see the difference in action?
    Use the IP address of your test system in source-prefix:
    show security flow session source-prefix 100.64.81.#/32

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: Route all VLAN traffic to specific public IP

    Posted 02-02-2021 15:54

    Here are a couple in the 100.64.81.0/24:

    show security flow session source-prefix 100.64.81.0/24
    Session ID: 278, Policy name: vlan81/21, Timeout: 1758, Valid
      In: 100.64.81.6/44277 --> 74.125.195.188/5228;tcp, If: ge-0/0/14.81, Pkts: 863, Bytes: 47522
      Out: 74.125.195.188/5228 --> 47.44.189.26/31068;tcp, If: ge-0/0/0.0, Pkts: 885, Bytes: 83404
    
    Session ID: 468, Policy name: vlan81/21, Timeout: 1776, Valid
      In: 100.64.81.6/50414 --> 74.125.28.188/5228;tcp, If: ge-0/0/14.81, Pkts: 1139, Bytes: 67525
      Out: 74.125.28.188/5228 --> 47.44.189.26/12731;tcp, If: ge-0/0/0.0, Pkts: 881, Bytes: 57799
    
    Session ID: 1269, Policy name: vlan81/21, Timeout: 1686, Valid
      In: 100.64.81.5/51051 --> 67.195.231.27/443;tcp, If: ge-0/0/14.81, Pkts: 17, Bytes: 2410
      Out: 67.195.231.27/443 --> 47.44.189.26/6676;tcp, If: ge-0/0/0.0, Pkts: 14, Bytes: 7374
    
    Session ID: 1386, Policy name: vlan81/21, Timeout: 1526, Valid
      In: 100.64.81.5/34317 --> 52.70.7.105/443;tcp, If: ge-0/0/14.81, Pkts: 324, Bytes: 144098
      Out: 52.70.7.105/443 --> 47.44.189.26/5367;tcp, If: ge-0/0/0.0, Pkts: 198, Bytes: 29367
    
    Session ID: 2280, Policy name: vlan81/21, Timeout: 1790, Valid
      In: 100.64.81.5/49830 --> 142.250.11.120/443;tcp, If: ge-0/0/14.81, Pkts: 459, Bytes: 135085
      Out: 142.250.11.120/443 --> 47.44.189.26/30481;tcp, If: ge-0/0/0.0, Pkts: 603, Bytes: 59814
    
    Session ID: 2630, Policy name: vlan81/21, Timeout: 1776, Valid
      In: 100.64.81.5/51129 --> 72.21.81.208/443;tcp, If: ge-0/0/14.81, Pkts: 21, Bytes: 2651
      Out: 72.21.81.208/443 --> 47.44.189.26/12625;tcp, If: ge-0/0/0.0, Pkts: 18, Bytes: 9599
    
    Session ID: 2709, Policy name: vlan81/21, Timeout: 28, Valid
      In: 100.64.81.6/30006 --> 199.71.143.216/3478;udp, If: ge-0/0/14.81, Pkts: 10566, Bytes: 760756
      Out: 199.71.143.216/3478 --> 47.44.189.26/24154;udp, If: ge-0/0/0.0, Pkts: 10527, Bytes: 884268



  • 6.  RE: Route all VLAN traffic to specific public IP

     
    Posted 02-02-2021 19:36
    I was looking to compare the working sessions with interface nat versus the non-working ones from the nat pool.

    Also, can you confirm there are no other NAT source rules in the rule group from vlan81 to Internet.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
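As an added example for posts 4 to 6 (this is not code from the thread or from Juniper), here is a small Python parser for the `show security flow session` output posted above. For each session it reads the post-NAT source address off the Out wing (with source NAT, the Out wing is the reverse flow, so its destination is the translated source) and reports whether that address is the expected pool address or something else, such as the interface address. The sample text is the listing from post 5, and the expected address 1.2.3.3 is the pool address from the question; both are embedded inline so the script runs offline.

```python
import re
from collections import Counter

# Sample input: the session listing posted in this thread (verbatim).
SAMPLE_OUTPUT = """\
show security flow session source-prefix 100.64.81.0/24
Session ID: 278, Policy name: vlan81/21, Timeout: 1758, Valid
  In: 100.64.81.6/44277 --> 74.125.195.188/5228;tcp, If: ge-0/0/14.81, Pkts: 863, Bytes: 47522
  Out: 74.125.195.188/5228 --> 47.44.189.26/31068;tcp, If: ge-0/0/0.0, Pkts: 885, Bytes: 83404

Session ID: 468, Policy name: vlan81/21, Timeout: 1776, Valid
  In: 100.64.81.6/50414 --> 74.125.28.188/5228;tcp, If: ge-0/0/14.81, Pkts: 1139, Bytes: 67525
  Out: 74.125.28.188/5228 --> 47.44.189.26/12731;tcp, If: ge-0/0/0.0, Pkts: 881, Bytes: 57799

Session ID: 1269, Policy name: vlan81/21, Timeout: 1686, Valid
  In: 100.64.81.5/51051 --> 67.195.231.27/443;tcp, If: ge-0/0/14.81, Pkts: 17, Bytes: 2410
  Out: 67.195.231.27/443 --> 47.44.189.26/6676;tcp, If: ge-0/0/0.0, Pkts: 14, Bytes: 7374

Session ID: 1386, Policy name: vlan81/21, Timeout: 1526, Valid
  In: 100.64.81.5/34317 --> 52.70.7.105/443;tcp, If: ge-0/0/14.81, Pkts: 324, Bytes: 144098
  Out: 52.70.7.105/443 --> 47.44.189.26/5367;tcp, If: ge-0/0/0.0, Pkts: 198, Bytes: 29367

Session ID: 2280, Policy name: vlan81/21, Timeout: 1790, Valid
  In: 100.64.81.5/49830 --> 142.250.11.120/443;tcp, If: ge-0/0/14.81, Pkts: 459, Bytes: 135085
  Out: 142.250.11.120/443 --> 47.44.189.26/30481;tcp, If: ge-0/0/0.0, Pkts: 603, Bytes: 59814

Session ID: 2630, Policy name: vlan81/21, Timeout: 1776, Valid
  In: 100.64.81.5/51129 --> 72.21.81.208/443;tcp, If: ge-0/0/14.81, Pkts: 21, Bytes: 2651
  Out: 72.21.81.208/443 --> 47.44.189.26/12625;tcp, If: ge-0/0/0.0, Pkts: 18, Bytes: 9599

Session ID: 2709, Policy name: vlan81/21, Timeout: 28, Valid
  In: 100.64.81.6/30006 --> 199.71.143.216/3478;udp, If: ge-0/0/14.81, Pkts: 10566, Bytes: 760756
  Out: 199.71.143.216/3478 --> 47.44.189.26/24154;udp, If: ge-0/0/0.0, Pkts: 10527, Bytes: 884268
"""

SESSION_RE = re.compile(r"Session ID:\s*(\d+),\s*Policy name:\s*(\S+),\s*Timeout:\s*(\d+)")
FLOW_RE = re.compile(
    r"(In|Out):\s*([\d.]+)/(\d+)\s*-->\s*([\d.]+)/(\d+);(\w+),"
    r"\s*If:\s*(\S+),\s*Pkts:\s*(\d+),\s*Bytes:\s*(\d+)"
)


def parse_sessions(text):
    """Turn the CLI listing into a list of dicts with an 'In' and an 'Out' wing each."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = {"id": int(m.group(1)), "policy": m.group(2), "timeout": int(m.group(3))}
            sessions.append(current)
            continue
        m = FLOW_RE.search(line)
        if m and current is not None:
            current[m.group(1)] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "iface": m.group(7),
                "pkts": int(m.group(8)), "bytes": int(m.group(9)),
            }
    return sessions


def translated_source(session):
    """With source NAT the Out wing is the return flow, so its destination is the post-NAT source."""
    return session["Out"]["dst"]


def audit_source_nat(text, expected_nat_ip):
    """Per session: original source, translated source, egress interface, and whether the
    translated source is the pool address we expect (False means interface NAT or another rule won)."""
    report = []
    for s in parse_sessions(text):
        if "In" not in s or "Out" not in s:   # half-open / incomplete sessions carry no answer
            continue
        nat_ip = translated_source(s)
        report.append({
            "id": s["id"],
            "orig_src": s["In"]["src"],
            "nat_src": nat_ip,
            "egress_if": s["Out"]["iface"],
            "uses_expected_pool": nat_ip == expected_nat_ip,
        })
    return report


def summarize(report):
    """Count sessions per translated address; one entry you did not expect means a rule mismatch."""
    return dict(Counter(r["nat_src"] for r in report))


if __name__ == "__main__":
    rows = audit_source_nat(SAMPLE_OUTPUT, "1.2.3.3")
    for r in rows:
        print(f"session {r['id']}: {r['orig_src']} -> {r['nat_src']} via {r['egress_if']}"
              f" pool-ok={r['uses_expected_pool']}")
    print("translated addresses:", summarize(rows))
```

Running it against the listing shows every session translated to the same single address on ge-0/0/0.0 rather than the pool address, which is exactly the comparison post 6 asks for: capture the listing once with the interface rule and once with the pool rule and diff the `nat_src` column.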